I. Purpose of the privacy notice
The scope of this notice covers the data processing applied on the Controller’s website (https://lottirose.com/), on its social interfaces and during e-mail messaging as well as the Controller’s offline data processing. The latest effective version of this privacy notice is continuously available on the following website: lottirose.com
The company’s data processing principles are in line with the effective data protection legislation, including in particular
- Act CXII of 2011 on Informational Self-Determination and Freedom of Information (hereafter: Information Act),
- Regulation (EU) No. 2016/679 of The European Parliament and of the Council (hereinafter: GDPR), and
- Act XLVII of 1997 on Processing and Protection of Medical and Other Related Personal Data.
The Controller reserves the right to amend this notice with the intention of improving it.
Below is a description of my company’s data processing practices.
II. Controller
Name: Lottirose Kft.
Registered office: 1174 Budapest Risztics János utca /2.
Tel.: +36203809926
E-mail address: business@lottirose.com
Tax number: 27901148-2-42
III. Contact details of the data protection officer
We do not engage in any activity that would justify the use of a data protection officer.
IV. Basic principles
1. Personal data may be managed solely for a specified purpose, in the interests of exercising a right or fulfilling an obligation, taking into account the legal grounds listed item by item in the relevant statutory regulation. The data processing shall, in all its phases, comply with the purpose of the data processing, the recording and processing of data must be fair and lawful (“lawfulness, fairness and transparency”).
2. Whenever the legal grounds for data processing change, the data subject must be informed during the process – the information will be provided both in the individual contracts and in this notice: the data processing may be established based on consent, although, when a contract is made, the legal grounds will change from ‘consent’ to ‘contract conclusion’ – if we are required to preserve the contract in order to comply with statutory obligations, the legal grounds for processing will be ‘compliance with statutory obligations’. (“Provision of information”)
3. Only such amount of personal data may be processed that is essential for achieving the purpose of the data processing, and that is suitable for achieving this purpose. The personal data may only be processed to the extent and for the period of time required for the achievement of such purpose (“purpose limitation”, “data minimisation”).
4. In order to provide for accurate and up-to-date data processing, the Controller shall take every reasonable step to ensure that personal data that are inaccurate are erased or rectified without delay (“accuracy”).
5. Controller applies appropriate technical measures to provide for the secure storage of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (“integrity and confidentiality”).
Controller shall be responsible for, and be able to demonstrate compliance with, the above basic principles (”accountability”).
V. Legal grounds for data processing
Pursuant to the provisions of the Information Act and the GDPR, personal data may be processed only on one of the following legal grounds:
- consent (may be requested if the remaining five legal grounds do not apply to data processing);
- contract conclusion;
- fulfilment of reporting obligations;
- protection of the data subject’s vital interests;
- exercising public interest or public authority;
- enforcement of legitimate interests.
We wish to remind the data subjects that, if they do not provide their own personal data, it is the duty of the data provider to obtain the consent of the data subject.
VI.1. Range, method of collection and storage period of data processed based on consent – legal ground: Article 6 (1) a) of the GDPR
VI.1.1. Data collection on the Contact page of the website
1. Fact of the data collection, range of data processed and purpose of data processing:
Personal data | Purpose of data processing |
Name | identification |
E-mail address | contact |
IP address at the time of contacting | execution of a technical operation |
2. Range of data subjects: the natural persons who complete the contact form on the website. Preconditions for contacting are: familiarity with this Privacy Notice and the acceptance of the provisions contained herein.
3. Duration of data processing: until the date of erasure of the data, i.e. until the data subject requests erasure of data. The data is reviewed by the Controller once every year.
4. Persons authorised to access the data, recipients of the personal data: the personal data may be processed by the Controller or by the Controller’s duly authorised employees, in accordance with the provisions of this notice.
5. Please be informed that
• data processing is required for answering questions.
• your failure to provide data or to consent to data processing will have the consequence that I will be unable to respond to your inquiry;
• for spam-checking purposes, the data subjects are filtered by Google’s reCaptcha service.
VI.1.2. Customer relations
1. If the Controller contacts the data subjects via any of the contact details listed below, the consent shall be deemed to be given through the inquiry – otherwise, e.g. in the case of a request submitted by e-mail, we will not be able to answer. If this method of contacting is applied, the Controller will provide the following information:
2. Fact of the data collection, range of data processed and purpose of data processing:
Personal data | Purpose of data processing |
Name | identification |
E-mail address | liaison |
Telephone number | liaison |
IP address at the time of contacting | execution of a technical operation |
3. Range of data subjects: all those, who liaise with the Controller by telephone / e-mail / personally.
4. Duration of data processing, deadline for data erasure: until withdrawal of the consent to data processing. The data is reviewed by the Controller once every year.
5. Persons authorised to access the data, recipients of the personal data: the personal data may be processed by the Controller or by the Controller’s duly authorised employees, in accordance with the provisions of this notice.
6. Please be informed that
• data processing is required for liaison purposes.
• your failure to provide data or to consent to data processing will have the consequence that we will be unable to lawfully liaise with the data subject or to respond to their inquiry.
VI.1.3. Newsletter
1. Pursuant to Section 6 of Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions relating to Commercial Advertising Activities, User / Data Subject have provided their express prior consent to the Service Provider / Controller to provide them with current information or to contact them using the contact details provided upon registration.
2. Furthermore, subject to the provisions of this Notice, the data subject agrees that the Controller will process his/her personal data required for the activities listed in section 1.
3. Controller will not send any unsolicited newsletters, and the data subject may unsubscribe from receiving offers, free of charge, without limitation or justification. In this case, Controller will erase from its record all personal data – which is necessary for sending newsletters – and will no longer contact the data subject with any further newsletters. Data Subject may unsubscribe from the newsletter by clicking the link in the message.
4. Fact of the data collection, range of data processed and purpose of data processing:
Personal data | Purpose of data processing |
Name, e-mail address | identification, providing an option for subscribing to newsletter |
Date of subscription | execution of a technical operation |
IP address upon subscription | execution of technical operation |
5. Range of data subjects: all data subjects subscribing to the newsletter.
6. Purpose of data processing: to send electronic messages (e-mails) presenting the Controller’s activity to the data subject, to provide information on current information, products, events, articles, etc.
7. Duration of data processing, deadline for data erasure: until withdrawal of the declaration of consent to data processing, i.e. until unsubscription.
8. Persons authorised to access the data, recipients of the personal data: the personal data may be processed by the Controller or by the Controller’s employees, subject to observance of the above basic principles.
9. Please be informed that
• the processing is based on your consent and on the Controller’s legitimate interest;
• we can only send newsletters if you provide us with your personal information as specified above.
10. The data subject may unsubscribe from the newsletter at any time, free of charge.
VI.1.4. Commenting on a blog
Anyone wishing to comment on the blog on the Controller’s website is required to have a Facebook profile. Controller does not store the comments or process the data separately. The legal grounds for data processing is the data subject’s consent. The comments may be deleted by the data subjects, unless such comments are generated that are incompatible with the Controller’s ethical principles. In such cases, the Controller reserves the option to permanently delete the entry from the page.
VI.1.5. Service rating, recommendation on website
1. Data subjects may score the individual services and they can write textual ratings on them. If this method of contacting is applied, the Controller will provide the following information:
2. Fact of the data collection, range of data processed and purpose of data processing:
Personal data | Purpose of data processing |
Name | identification |
E-mail address | liaison |
IP address at the time of contacting | execution of technical operation |
3. Range of data subjects: all those data subjects who enter a rating on the Controller’s website.
4. Duration of data processing, deadline for data erasure: until withdrawal of the consent to data processing. The data is reviewed by the Controller once every year.
5. Persons authorised to access the data, recipients of the personal data: the personal data may be processed by the Controller or by the Controller’s employees, subject to observance of the above basic principles.
6. Please be informed that
• data processing is necessary for the publication of the rating.
• your failure to provide data or to consent to data processing will have the consequence that we will be unable to publish the data subject’s opinion.
VI.1.6. Social media sites
1. Fact of the data collection, range of data processed:
Registered name on the Facebook / Instagram social media sites or the user’s public profile image.
2. Range of data subjects: all data subjects who have registered on the Facebook / Instagram social media site and “liked” the website.
3. Purpose of data collection: on the social media sites, the sharing, “liking” or promoting of specific content elements, products, actions of the website or the website itself, or the presentation of the company, expression of an opinion or initiating a contact. Data that can be interpreted from the point of view of data processing is not extracted from this site, and the statistics, if any, are irrelevant in terms of data processing.
4. Duration of data management, deadline for data erasure, potential controllers authorised to access the data and presentation of the data subject’s rights related to data processing: the data subject will find information on the source and processing of the data, and on the manner of and the legal grounds for transferring it, on the relevant social media site. Since the data processing is carried out on the social media sites, the duration and method of processing and the possibilities for erasure and modification of data are governed by the regulation of the given social media site.
5. Legal grounds for data processing: the data subject’s voluntary consent to the processing of his/her data on community sites.
VI.1.7. Cookies
VI.1.7.1. Tasks of the cookies:
- to gather information on visitors and their tools;
- memorise the visitors’ custom settings that will (may) be later used e.g. when requesting online transactions, so they need not be entered again;
- facilitate the use of the website;
- provide for a quality user experience.
In order to provide customised service, a small data package, a so-called “cookie” is placed on the user’s computer, which will later be retrieved during subsequent visits. If the browser returns a previously saved cookie, then the service provider managing the cookie has the option of linking the user’s current visit to the previous one, but only in respect of its own content. Cookies do not contain personal information and are not suitable for identifying an individual user. Cookies often contain a unique identifier – a secret, randomly generated sequence of numbers – stored on the data subject’s device. Some cookies will cease after the website is closed and some will be stored on the visitor’s computer for a longer period of time.
If the visitor wishes to block the activities related to cookies or to delete any data files placed on the computer during previous visits, they can find the necessary instructions on the following pages:
For Firefox
In Internet Explorer
Some browsers also allow you to automatically delete your browsing data every time you close it.
VI.1.7.2. Mandatory session cookies
The purpose of these cookies is to allow visitors to browse the Controller’s website thoroughly and without any disturbance, to use its functions and the services available there. The validity period of this type of cookies runs until the session (browsing) ends, and when you close the browser, this type of cookie is automatically deleted from the computer or from any other device used for browsing.
VI.1.7.3. Third-Party Cookies (Analytics)
We also use Google Analytics as third party cookies on our website. By using Google Analytics for statistical purposes, we collect information about how visitors use web pages. The data is used to improve the website and the user experience. These cookies will also remain on the visitor’s computer or on any other device used for browsing until they expire, or until the visitor deletes them.
We have linked our site to several social media sites (Facebook, Instagram). These social media sites also place cookies on visitors’ pages that may contain personal data. The Controller does not see or process this data. Such cookies may be disabled by data subjects in the browser of their own computer.
VI.1.8. Withdrawal of consent
The consent can be withdrawn at any time in the same easy way as it was given.
In the case of a newsletter, the consent can be revoked by clicking on the unsubscribe link at the end of the newsletter.
In the case of a Facebook page, the ‘Like’ can be withdrawn, and the private message or comment can be deleted.
The Controller also deletes the data manually if a request to that effect is sent to the (…) email address.
A legitimate data processing preceding the withdrawal of the consent is considered to be legitimate after deletion as well.
The time limit for storage by consent is, on the one hand, the withdrawal of consents as listed above or the unsubscription, and, on the other hand, the annual review of the data by the Controller. The data is stored on a computer protected by a password and by an antivirus software. Considering that, in exceptional cases, the Controller also signs paper-based contracts, these are stored in a separate lockable cabinet.
VI.2. Contract and legal obligation – as legal grounds: Article 6 (1) b) and c) of the GDPR
VI.2.1. Data processing applicable to registered users in the case of purchasing
1. The Controller processes the data required for the purchase /lease/ of the service provided in the webshop on the legal grounds of the contract concluded with the data subject.
2. Fact of the data collection, range of data processed and purpose of data processing:
Personal data | Purpose of data processing |
Name | identification |
E-mail address | confirmation of the order |
Telephone number | communication related to the order |
Invoicing address | invoice issuance, performance of a contract |
Personal identity card / Passport number | performance of a contract |
Place and date of birth | performance of a contract |
Mother’s maiden name | performance of a contract |
IP address at the time of contacting | execution of technical operation |
3. Range of data subjects: all data subjects ordering the service.
4. Duration of data processing, deadline for data erasure: for 5 years following fulfilment of the order (limitation period under the Civil Code).
5. Persons authorised to access the data, recipients of the personal data: the personal data may be processed by the Controller or by the Controller’s duly authorised employees, in accordance with the provisions of this notice.
6. Please be informed that
• data processing is necessary for the performance of the contract.
• your failure to provide data or to consent to data processing will have the consequence that we will be unable to lawfully liaise with the data subject or to perform the contract.
VI.2.2. Data processing related to invoicing
In some cases, keeping a record of the invoicing information and issuing an invoice is a statutory obligation for the Controller. If the client data subject fails to deliver the requested data, and the issue of the receipt is not sufficient for the buyer, we will be unable to issue an invoice to a natural person due to insufficient data, and thus the conclusion of a contract with the data subject will be impossible.
When contracting a legal person, the contract between us may contain personal information, such as the name, telephone number, e-mail address of the relationship manager or the name of the legal representative. The availability of this data is a condition for contract conclusion. In these cases, the legal grounds for data management is not consent but contracting.
Controller stores the invoicing name and address for the period stipulated by law, on a computer protected by a password and by an antivirus software.
VI.3. Designation of legitimate interest – as legal grounds: Article 6 (1) f) of the GDPR
Controller classifies in this category all those collaborators who are not present in the business as interested parties or customers, but with whom it works together on a specific aspect of the business.
We store your contact information – name, phone number, e-mail address, registered office, home address – after personal meetings or online contact, and we do not forward it to third parties, except when we fulfill our legal obligations.
The Controller stores its business partners’ data (name, e-mail address, phone number, registered office, home address) until the end of the business relationship or until erasure is requested, on a computer protected by a password and by an antivirus software.
VII. Security measures
In the course of the business activity, the Controller protects the processed data by applying appropriate security measures. Our goal is to prevent unauthorised access to the data in whatever manner. Our computers are protected by passwords and by the AVG Free and McAfee Security antivirus software. We can use our phones only after double PIN identification. We can log in to mailing systems or to Facebook only after identification. We apply SSL encryption on our website.
When designing appropriate security measures, we have taken into account the current state of science and technology, the nature, scope, context and purposes of data processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
VIII. Data processors
In our business we use the services of the data processors listed below:
Hosting service:
RACKFOREST KFT.
Correspondence address: 1132 Budapest, Victor Hugo u. 18-22.
E-mail: info@rackforest.com
Tel: +36 70 881 4184
Website: rackforest.com
(Access to the full content of the website.)
Newsletters:
Mailchimp
(Access to the name and email address of the newsletter subscribers?)
Receiving and sending e-mails:
Gmail – Google Inc., Mountain View, California, USA
(Access to correspondence and all the related data.)
Webshop operator:
Controller
- E-mail: (…)
- Website: https://lottirose.com/
(Access to the full content of the website.)
WordPress WooCommerce plugin
- Automattic Inc., San Francisco, California, USA
- Website: https://automattic.com/, https://woocommerce.com/
(No data access)
Invoicing:
(NAME, CONTACT DETAILS, E-MAIL ADDRESS)
(Access to invoices issued.)
Facebook page:
Facebook Inc.
Menlo Park, California, USA
Information on data processing: https://www.facebook.com/about/privacy/update
(Access to the user’s name and comments.)
Facebook pixel:
Facebook Inc.
Menlo Park, California, USA
(Access to HTTP header [IP address, page location, redirect, user agent], pixel ID, Facebook cookie.)
Google Analytics:
Google Inc., Mountain View, California, USA
(Access to anonymous, non-personal IP address of visitors to the website.)
Instagram share button:
Instagram – Facebook Inc., Menlo Park, California, USA
Privacy Notice: https://www.instagram.com/legal/privacy/
(Access to visit details)
IX. Transmission of the data subjects’ data to third countries
Data is transferred to the United States of America, with whom an adequacy decision was made on 12 July 2016 (https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu-us-privacy-shield_en), which is observed by
- Google (https://policies.google.com/privacy/frameworks),
- Facebook (https://www.facebook.com/about/privacyshield)
- and Instagram, as a Facebook-owned company
as well.
In order to fulfil the contract, when ordering certain services, the data of clients will be forwarded to the following service providers:
- In case of transport services: Büki-Bitai Veronika, entrepreneur, 1172 Bp. XI. street 12. Tel.: 06303120499, e-mail: bitaiveronika@gmail.com
- In case of guide services: Best Step Guide Ltd., 1145 Budapest, Törökőr street 61. Tel: 06204005790, e-mail: hello@budastep.hu
- In case of photography services: Nizo Certus Ltd. 1028 Budapest, Fuvola street 6. Tel: 06309152252, e-mail: office@businesscontacts.hu
The following data will be forwarded to the third party for the purpose of establishing contact: name, phone number, e-mail address. The third party will handle the data as a data processor, meaning that it does not use the data for any other purpose, does not forward it to anybody, and is obliged to delete the data after the service has been fulfilled.
X. Rights of the data subjects
X.1. Transparency and the data subjects’ access to personal data
In compliance with the statutory regulations and with our own mission statement, the Controller strives to make all information available to the data subjects transparent and easy to understand, on an interface that is easily accessible to the data subjects.
The data subjects are entitled to request feedback on whether the processing of their personal data is currently in progress, and, if so, they may be provided access to the following information managed by the Controller:
- purposes of data processing;
- categories of the data subject’s personal data;
- the recipients to whom or to which the personal data has been or will be disclosed, including recipients in third countries and international organisations;
- the envisaged period for which the data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the Controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- designating the right to lodge a complaint with a supervisory authority;
- where personal data is not collected from the data subject, any available information regarding its source;
- the existence of automated decision-making – for example, the use of their data for profiling.
The above information will be made available to the applicant free of charge within 30 days of receipt of the request.
X.2. Right to rectification and right to erasure
The data subjects are entitled to request that the personal data concerning them be rectified or supplemented.
If one of the following cases occurs, I, as Controller, am obliged to delete the personal data of the data subjects without undue delay:
- the personal data is no longer necessary in relation to the purposes for which we have collected or otherwise processed it;
- the data subject withdraws the consent on which the processing is based, and there is no other legal ground for the processing;
- the data subject objects to the processing, and there are no overriding legitimate grounds for the processing;
- we have processed the personal data unlawfully;
- the personal data must be erased to comply with a legal obligation stipulated by a European Union or Member State law, to which the Controller is subject;
- the personal data has been collected in connection with the offering of information society services.
Personal data is not required to be deleted if it is used for the purpose of exercising the right of freedom of expression and information; or if data processing is required for the establishment, exercise or defence of legal claims. In the event of such a situation, the data subject must be informed of the above.
X.3. Right to restriction of processing
The data subjects shall have the right to request restriction of processing, if:
- they contest the accuracy of the personal data, until the inaccuracy is clarified;
- data processing is unlawful, and they request that the use of the data be restricted rather than its erasure;
- we no longer need the personal data for the purposes of the processing, but it is still required by the data subjects for the establishment, exercise or defence of legal claims;
- the data subject has objected to its data being processed on grounds of legitimate interests; in this case the restriction shall apply to the period until it is established that the Controller’s legitimate grounds override those of the data subject.
Where processing has been restricted, the personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.
The data subject shall be informed of the lifting of the restriction.
X.4. Right to data portability
If the legal ground for data processing is consent or a contract, and processing is carried out by automated means, the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to me, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Controller, provided that this is technically feasible.
The right to data portability shall not adversely affect the rights and freedoms of others.
X.5. Right to object
The data subject shall have the right to object at any time to the processing of personal data concerning him or her, including profiling based on the above-mentioned provisions. In the event of objection the Controller may no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject, or which are related to the establishment, exercising or defence of legal claims.
X.6. Automated individual decision-making, including profiling
The Controller informs the data subjects that it profiles the persons subscribing to the newsletter. During the profiling process it determines, by technical means, whether the newsletter subscribers have previously viewed the webshop based on the newsletter, what products they have viewed, what they have purchased or whether they have made any purchases at all, and it will send a newsletter based on that information, in line with the data subjects’ sphere of interests. This activity is intended to provide a better user experience and has no legal effect on the data subject other than the recommendation of products and special offers, and therefore does not conflict with the provisions of Article 22 of the GDPR.
XI. In case of complaints
We process the data subjects’ personal data with the greatest care.
In spite of the above, if you have any complaints or questions, please feel free to contact us at the (…) e-mail address, and we will try to remedy the problem within our own competence.
The data subjects are, of course, entitled to go to court to enforce their claims. Disputes related to violations of data processing principles and procedures are within the jurisdiction of the tribunal, and litigation may be initiated in the court of the data subject’s place of residence.
We are open to participate in the mediation process at any time before or during the initiation of any litigation related to our data processing.
Furthermore, any complaint or question related to personal data may be referred by the data subject to the National Authority for Data Protection and Freedom of Information (1125 Budapest, Szilágyi Erzsébet fasor 22/c., postal address: 1530 Budapest, Pf.: 5., email: ugyfelszolgalat@naih.hu, website: http://www.naih.hu).
XII. List of relevant statutory regulations
- Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
- Act CXII of 2011 on Informational Self-Determination and Freedom of Information;
- Act XLVII of 1997 on Processing and Protection of Medical and Other Related Personal Data;
- Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions relating to Commercial Advertising Activities;
- Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services;
- Act V of 2013 on the Civil Code;
- Act LXXVI of 1999 on Copyright;
- Government Decree 45/2014 (II.26.) on the detailed rules governing contracts between consumers and companies;
- Act CL of 2017 on Taxation;
- Act CXXVII of 2007 on Value Added Tax